Estonia proposes NATO-like expenditure rule for cybersecurity

Andres Sutt emphasised that cybersecurity is chronically underfunded and that it needs to be put on the top of the priority list if the digitalisation of the private and public sectors is supposed to be successful. [Aron Urb]

Estonian Minister of Entrepreneurship and Information Technology Andres Sutt proposed the introduction of NATO-like expenditure rules for cybersecurity spending of the private and public sector to close the investment gap and tackle cyber threats.

While there are a number of initiatives on the EU level – like the Cybersecurity Act, or the NIS2 directive – these measures will not have a tangible effect unless the investment is stepped up considerably, Sutt stressed during the Tallinn Digital Summit on Tuesday (7 September).

“Our aim should be no less than to agree on a global framework on cybersecurity, just like NATO has the 2% target of GDP on defence, we have to have a comparable target, methodology and benchmark for cybersecurity,” he said.

Sutt emphasised that cybersecurity is chronically underfunded and that it needs to be put at the top of the priority list if the digitalisation of the private and public sectors is supposed to be successful.

To achieve this, he proposed to establish an internationally agreed and unified methodology on “how to measure cybersecurity level investment or cyber preparedness.”

Furthermore, he proposed to set a tangible target for the level of investments into cybersecurity for the private and the public sector alike.

Implementing these measures would be crucial to increase the trust of people in the digital world and make Europe fit for the digital world, Sutt stressed.

Cyberattacks have surged due to the shift to digitalisation during the COVID-19 pandemic, with the latest examples being the Solarwinds and Kaseya attacks.

Furthermore, the number of phishing attacks has increased by 667% in the first months of the pandemic, a spokesperson of the European Union Agency for Cybersecurity (ENISA) told EURACTIV.

Mixed responses

The proposal was met with mixed responses from the ministers attending the Tallinn Digital Summit.

While Irish Minister of State Ossiam Smyth said that “money is really important”, he also stressed that increasing investment alone will not suffice to tackle cybersecurity challenges properly. Instead, he stressed the importance of cutting off criminals from their money supply.

A similar point was made by the Austrian Minister for Digitalisation and Economic Affairs, Margarete Schramböck. “If you go to the darknet, you can see how easy it is to buy cyberattacks as a service,” she said, adding that this is one of the crucial problems that need to be addressed.

Schramböck stated that NATO-style expenditure rules are an “idea to consider” but emphasised that “spending money only for the sake of spending money is not the key.” Investments in cybersecurity must be streamlined and aimed at the sharing of best practices and quick information exchange, she added.

UK State Secretary for Digital, Oliver Dowden, welcomed the idea and stated that this could “make a difference, especially in regard to government spending”.

Sutt replied he was “very glad that this proposal already provoked a debate. Let’s keep the ball rolling and see how far we can get”.

Estonia, which is one of the most digitalised countries on the globe, has made cybersecurity one of its key priorities in recent years.

The Baltic country, which currently ranks third in the Global Cybersecurity Index, initiated the first-ever high-level debate on cybersecurity in the United Nations Security Council in June.

[Edited by Luca Bertuzzi/Zoran Radosavljevic]

Read more with Euractiv

Subscribe to our newsletters

Subscribe